Problem Space and Special Characteristics of Security Testing in Live and Operational Environments of Large Systems Exemplified by a Nationwide IT Infrastructure

The paper discusses foundations and requirements for testing security robustness aspects in operational environments while adhering to defined protection values for data. It defines the problem space and special characteristics of security testing in large IT infrastructures. In this area there are different environments with varying characteristics, e.g., regarding confidentiality of data. Common environments based on an existing IT project are defined. Testing in dedicated test environments is state of the art, however, sometimes this is not sufficient and testing in operational environments is required. Case studies showed many restrictions in the security test process, e.g., limited access for testers, which have to be addressed. The problems of testing in these operational environments are pointed out. Experiences and some current solution approaches for testing these special environments are shown (e.g., usage of disaster/recovery mechanism).